Secure embedded systems typically rely on encrypted communication with secret keys stored within a secure device. Such secure embedded systems may also contain other security critical information (e.g., certificates, serial numbers, customization identifiers (IDs), or monotonic NVM counters). This information can be stored in the NVM of a flash microcontroller. Ordinary NVM, however, is not considered secure enough to hold such secrets on its own, because it is exposed to well-known attack types.
For example, side channel attacks are particularly easy to execute and can reveal the Hamming weight of the keys written to or read from NVM. This is a particular issue for NVM because the sense amplifiers used to read it have a strong current signature, so the current drawn while a key is read correlates with the number of set bits in the key. Another known attack type is intrusive reverse engineering, which can allow readout of the NVM bit cells and reveal their contents. Although a more advanced method of attack, reverse engineering can be subcontracted to companies with the special equipment required. NVM is far more exposed to such attacks than random access memory (RAM), since NVM cells retain their data even through a highly intrusive attack, whereas RAM contents are lost once power is removed.
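The Hamming-weight leakage described above, as an added illustration that is not part of the original text: a constructed model in which each NVM byte read draws a sense-amplifier current proportional to the byte's Hamming weight plus noise, a profiling phase on an attacker-controlled device to build per-weight templates, an attack phase that averages repeated reads of the target key, and a count of how much key entropy survives once every byte's weight is known. The leakage coefficients, the noise level and the demonstration key are assumptions chosen for the example, not measurements of any real part.

```python
import math
import random
from statistics import mean

# Constructed leakage model (an assumption for this illustration, not a
# measurement of any real part): each NVM byte read draws a sense-amplifier
# current that grows with the number of set bits (Hamming weight) in the
# byte, plus a fixed baseline and Gaussian measurement noise.
LEAK_PER_BIT = 0.35   # extra current per set bit (arbitrary units)
LEAK_OFFSET = 2.0     # baseline read current
NOISE_SIGMA = 0.4     # standard deviation of measurement noise

# Constructed 128-bit key for the demonstration; 0x00 and 0xff are included
# so the rarest Hamming-weight classes are exercised.
DEMO_KEY = bytes.fromhex("000f3c55aaff12817ec301fe3399665a")


def hamming_weight(byte: int) -> int:
    """Number of set bits in one byte."""
    return bin(byte & 0xFF).count("1")


def read_trace(data: bytes, rng: random.Random) -> list:
    """One noisy current trace: one sample per byte read from NVM."""
    return [LEAK_PER_BIT * hamming_weight(b) + LEAK_OFFSET + rng.gauss(0.0, NOISE_SIGMA)
            for b in data]


def build_templates(rng: random.Random, reps: int = 128) -> list:
    """Profiling phase on a device the attacker controls: read every byte value
    'reps' times and record the mean current for each weight class 0..8."""
    sums = [0.0] * 9
    counts = [0] * 9
    for _ in range(reps):
        for value in range(256):
            sample = read_trace(bytes([value]), rng)[0]
            sums[hamming_weight(value)] += sample
            counts[hamming_weight(value)] += 1
    return [sums[w] / counts[w] for w in range(9)]


def recover_weights(traces: list, templates: list) -> list:
    """Attack phase: average repeated reads of the secret on the target, then
    assign each byte to the nearest weight-class template."""
    n_bytes = len(traces[0])
    averaged = [mean(t[i] for t in traces) for i in range(n_bytes)]
    return [min(range(9), key=lambda w: abs(avg - templates[w])) for avg in averaged]


def residual_entropy_bits(weights: list) -> float:
    """Key entropy remaining once each byte's Hamming weight is known: a byte of
    weight w has C(8, w) candidates instead of 256."""
    return sum(math.log2(math.comb(8, w)) for w in weights)


def run_attack(key: bytes = DEMO_KEY, n_traces: int = 400, seed: int = 7) -> dict:
    """Profile, then attack 'key' with n_traces noisy reads; returns what was learned."""
    rng = random.Random(seed)
    templates = build_templates(rng)
    traces = [read_trace(key, rng) for _ in range(n_traces)]
    recovered = recover_weights(traces, templates)
    true_weights = [hamming_weight(b) for b in key]
    return {
        "true_weights": true_weights,
        "recovered_weights": recovered,
        "correct": recovered == true_weights,
        "residual_bits": residual_entropy_bits(recovered),
    }


if __name__ == "__main__":
    result = run_attack()
    print("true weights     :", result["true_weights"])
    print("recovered weights:", result["recovered_weights"])
    print("key entropy left : %.1f of %d bits" % (result["residual_bits"], 8 * len(DEMO_KEY)))
```

With these assumed parameters the attacker recovers every byte's weight from a few hundred reads, and the 128-bit demonstration key is left with roughly 75.6 bits of entropy: a byte of weight 4 still has 70 candidates, but a byte of weight 0, 1, 7 or 8 has one, eight, eight or one. The point of the model is the mechanism the text names, a read current that depends on the data being read; a real attack would combine this leakage with the operation that consumes the key rather than stopping at weights.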
If more than a bare minimum of security is needed, the secret keys can instead be handled by a secure element: a separate chip designed to protect security critical information against such attacks. A secure element, however, adds to the bill of material (BOM) cost, board space and complexity of the application.